Allow root to run puppet lookup --compile (#273)

#205 broke `puppet lookup --compile`, which is essential to troubleshoot Hiera lookups when using the
top-scope manifest variables in the stock manifests/site.pp. The defaults introduced in that patch
assumed that the Puppet user is the user executing the command/process.  If the user is root using the
default umask of a SIMP server, this result in files that the Puppet Server's puppet user will not be able 
to read.

This patch uses the Puppet settings to look up the configured Puppet user instead of the owner of the
current process.

Fixes #267

CHANGELOG

@@ -1,3 +1,7 @@
+* Thu Dec 16 2021 Chris Tessmer <[email protected]> - 4.10.3
+- Fixed
+  - Permit root user to run `puppet lookup --compile` without borking passgen
+
 * Thu Dec 16 2021 ke5C2Fin <[email protected]> - 4.10.2
 - Fixed
   - Call `klist -s` instead of `klist` to properly handle cache issues

lib/puppet/functions/simplib/passgen/legacy/passgen.rb

@@ -27,10 +27,10 @@
   #        * `1` => Add reasonably safe symbols
   #        * `2` => Printable ASCII
   #   * `user` => user for generated files/directories
-  #        * Defaults to the user compiling the catalog.
+  #        * Defaults to the Puppet user.
   #        * Only useful when running `puppet apply` as the `root` user.
   #   * `group => Group for generated files/directories
-  #        * Defaults to the group compiling the catalog.
+  #        * Defaults to the Puppet user.
   #        * Only useful when running `puppet apply` as the `root` user.
   #   **private options:**
   #   * `password` => contains the string representation of the password to hash (used for testing)
@@ -61,8 +61,8 @@ def passgen(identifier, modifier_hash={})
     scope = closure_scope
 
     settings = {}
-    settings['user'] = modifier_hash.key?('user') ? modifier_hash['user'] : Etc.getpwuid(Process.uid).name
-    settings['group'] = modifier_hash.key?('group') ? modifier_hash['group'] : Etc.getgrgid(Process.gid).name
+    settings['user'] = modifier_hash['user'] || Puppet.settings[:user]
+    settings['group'] = modifier_hash['group'] || Puppet.settings[:group]
     settings['keydir'] = File.join(Puppet.settings[:vardir], 'simp',
       'environments', scope.lookupvar('::environment'),
       'simp_autofiles', 'gen_passwd'
@@ -321,23 +321,22 @@ def lockdown_stored_password_perms(settings)
     Find.find(settings['keydir']) do |file|
       file_stat = File.stat(file)
 
-      # Do we own this file?
+      # Does the Puppet user own this file?
       begin
         file_owner = Etc.getpwuid(file_stat.uid).name
+        file_group = Etc.getgrgid(file_stat.gid).name
 
-        unowned_files << file unless (file_owner == settings['user'])
+        unowned_files << file unless (file_owner == settings['user'] || file_group == settings['group'] )
       rescue ArgumentError => e
-        debug("simplib::passgen: Error getting UID for #{file}: #{e}")
+        debug("simplib::passgen: Error getting UID/GID for #{file}: #{e}")
 
         unowned_files << file
       end
 
       # Ignore any file/directory that we don't own
       Find.prune if unowned_files.last == file
 
-      FileUtils.chown(settings['user'],
-        settings['group'], file
-      )
+      FileUtils.chown(settings['user'], settings['group'], file)
 
       file_mode = file_stat.mode
       desired_mode = symbolic_mode_to_int('u+rwX,g+rX,o-rwx',file_mode,File.directory?(file))
@@ -356,5 +355,4 @@ def lockdown_stored_password_perms(settings)
       fail(err_msg)
     end
   end
-end
-# vim: set expandtab ts=2 sw=2:
+end

metadata.json

@@ -1,6 +1,6 @@
 {
   "name": "simp-simplib",
-  "version": "4.10.2",
+  "version": "4.10.3",
   "author": "SIMP Team",
   "summary": "A collection of common SIMP functions, facts, and types",
   "license": "Apache-2.0",